fix: add cause error messages also on generic token parse failures MONGOSH-2884 (#234)

Otherwise, error messages are short and potentially not very helpful.
We already implemented this for HTTP errors earlier in 4f69e53
and improved on it in cb07f51, but did not account for these
specific types of very broad generic failures.

Author: addaleax

src/plugin.spec.ts

@@ -1704,6 +1704,36 @@ describe('OIDC plugin (mock OIDC provider)', function () {
       expect(entry.error).to.include(selfSignedReason);
     });
 
+    it('logs helpful error messages for OIDC token parse failures', async function () {
+      getTokenPayload = () => ({
+        expires_in: tokenPayload.expires_in,
+        payload: { ...tokenPayload.payload, nonce: undefined },
+      });
+      const plugin = createMongoDBOIDCPlugin({
+        openBrowserTimeout: 60_000,
+        openBrowser: fetchBrowser,
+        allowedFlows: ['auth-code'],
+        redirectURI: 'http://localhost:0/callback',
+      });
+
+      try {
+        await requestToken(plugin, {
+          issuer: provider.issuer,
+          clientId: 'mockclientid',
+          requestScopes: [],
+        });
+        expect.fail('missed exception');
+      } catch (err: any) {
+        expect(err.message).to.equal(
+          'invalid response encountered (caused by: JWT "nonce" (nonce) claim missing)'
+        );
+        expect(err.cause.message).to.equal('invalid response encountered');
+        expect(err.cause.cause.message).to.equal(
+          'JWT "nonce" (nonce) claim missing'
+        );
+      }
+    });
+
     it('handles JSON failure responses from the IDP', async function () {
       overrideRequestHandler = (url, req, res) => {
         if (new URL(url).pathname.endsWith('/token')) {

src/util.ts

@@ -254,20 +254,30 @@ function getCause(err: unknown): Record<string, unknown> | undefined {
   }
 }
 
+function wrapGenericError(err: unknown): MongoDBOIDCError {
+  if (MongoDBOIDCError.isMongoDBOIDCError(err)) return err;
+  return new MongoDBOIDCError(errorString(err), {
+    codeName: 'GenericError',
+    cause: err,
+  });
+}
+
 // openid-client@6.x has reduced error messages for HTTP errors significantly, reducing e.g.
 // an HTTP error to just a simple 'unexpect HTTP response status code' message, without
 // further diagnostic information. So if the `cause` of an `err` object is a fetch `Response`
 // object, we try to throw a more helpful error.
 export async function improveHTTPResponseBasedError<T>(
   err: T
-): Promise<T | MongoDBOIDCError> {
+): Promise<MongoDBOIDCError> {
   // Note: `err.cause` can either be an `Error` object itself, or a `Response`, or a JSON HTTP response body
   const cause = getCause(err);
   if (cause) {
     try {
       const statusObject =
         'status' in cause ? cause : (err as Record<string, unknown>);
-      if (!statusObject.status) return err;
+      if (!statusObject.status) {
+        return wrapGenericError(err);
+      }
 
       let body = '';
       try {
@@ -306,10 +316,10 @@ export async function improveHTTPResponseBasedError<T>(
         { codeName: 'HTTPResponseError', cause: err }
       );
     } catch {
-      return err;
+      return wrapGenericError(err);
     }
   }
-  return err;
+  return wrapGenericError(err);
 }
 
 // Check whether converting a Node.js `Readable` stream to a web `ReadableStream`